Into The Wild Blue Yonder

Australian public and private organisations across a myriad of sectors are currently investigating and embracing the technological and competitive benefits of using remotely piloted aircraft called unmanned aerial vehicles (UAVs), or drones. Goldman Sachs (Drones: Reporting for Work) predicts that Australia’s drone spending will be an estimated US$3.1 billion between 2017 and 2021. And Australia’s Civil Aviation Safety Authority (CASA) estimates there are currently over 1,000 registered commercial operators.

While the US and Europe currently lead enterprise use of UAVs, Australian businesses have been quick to capitalise on the benefits of the technology. Some examples of how organisations are implementing drones as strategic tools include:

Along with the numerous benefits comes the need for organisations to review legal and regulatory issues around airspace, privacy, security and safety in order to protect the business and individuals. In 2013, a drone flew into a car on the Sydney Harbour Bridge. In 2014, an athlete competing in a West Australian triathlon event was injured by a drone being used to film the event. The Australian Transport Safety Bureau noted that accidents involving drones grew from 14 incidents over eight years from 2006–2013 to 37 in just one year from 2014–2015 (West Australian News, Jan 2017). There are also implications that UAVs could be used for terrorist activities.

a) small drones (under 2kg) – operators can now work without an operator’s certificate but still require a once-off registration

b) large drones (over 2kg) – operators must be registered and apply for the Unmanned Aircraft Operators Certificate, which can cost between $5,000 and $10,000.

These regulatory changes have largely been viewed as a relaxing of the rules, but whether operating small or large drones, organisations still need to be aware of and act in accordance with CASA’s legal requirements and consider the business implications (regulatory, financial and safety) before deploying drone technology. Specifically, is the organisation ready to operate an aviation department?

In March, ISACA issued a white paper, Rise of the Drones: Is Your Enterprise Prepared?, which presents detailed questions and scenarios that management should answer when contemplating whether drone technology is right for their organisation. Key questions include:

1. Is running an aviation operation in line with the organisation’s mission? Core business? Capabilities?

2. Are uses of the enterprise’s UAVs consistent with the company’s ethics policy?

3. Is the business prepared to operate and manage an internal aviation department? Is the organisation ready to assume the responsibilities of flight operations? Has the organisation identified all the complexities and challenges of operating an internal certified flight operations function?

4. What added risk and liabilities will the organisation encounter once it establishes an aviation function/department and who is responsible for all of the compliance requirements associated with this function? How is this risk expected to be mitigated?

5. Who is responsible for assessing and authorising applications of the drone technology to specific business usages/purposes?

6. How is UAV technology classified within the enterprise? Is it IT? Is it operations?

7. What procedures exist to attest that any organisational use of UAV technology: (a) is legal; (b) is authorised and approved by executive management; (c) is conducted according to established operational protocols; and (d) meets or exceeds legal compliance requirements?

8. Will the company be able to immediately comply with any legislation and regulations for the safe and proper operation of its UAV fleet?

9. Does the organisation maintain a policy for acceptable use of UAV technology? If not, does the absence of such a policy represent a potential liability to the organisation?

10. Does the organisation maintain appropriate levels of insurance, covering the operation, maintenance, storage and security of the UAV and its related technologies?

Privacy and Security

In addition to preparing the business case and organisational risk analysis for using drone technology, organisations should also consider the potential privacy and security issues. CASA stipulates personal privacy should be respected, and outlines height and proximity rules. However, there is currently very little legal recourse.

Government agencies, such as the Commonwealth House of Representatives and Senate Standing Committee on Rural and Regional Affairs and Transport, have called for more legislative regulation, ranging from updating the Privacy Act, to requiring manufacturers to provide educational brochures regarding individuals’ privacy rights.

The Australian Law Reform Commission recently called for a “tort of privacy” to be written to guard against intrusions and allow individuals to sue for damages. Australian courts have so far rejected the recommendation, although this may change as more drones are purchased for recreational and commercial use. Other countries have already incorporated remotely piloted aircraft into their privacy laws.

Organisations also need to ensure their security measures adequately protect data gathered from the drone, and guard against unauthorised access to the on-board technology, programming and recording equipment. Processes and procedures also need to be drafted and adhered to for decommissioning drones, including purging sensitive data.

In conclusion, an organisation’s decision to incorporate drone technology into the business means establishing and operating an aviation department within its business operations. Outsourcing this activity to a third party does not necessarily discharge the organisation from the responsibility to ensure that compliance is maintained and appropriate controls are in place to mitigate the risk.

Poised to enable a tremendous leap forward in information collection and knowledge transfer, UAVs can bring enormous competitive, safety, financial and research benefits to an enterprise. However, if not properly controlled, monitored and implemented, they can also lead to significant and potentially disastrous unintended outcomes.

Garry Barnes is practice lead, Governance Advisory at Vital Interacts (Australia). He has more than 20 years of experience in information and IT security, IT audit and risk management and governance, having worked in a number of New South Wales public sector agencies and in banking and consulting. ISACA (isaca.org) helps global professionals lead, adapt and assure trust in an evolving digital world by offering innovative and world-class knowledge, standards, networking, credentialing and career development. Established in 1969, ISACA is a global non-profit association of 140,000 professionals in 180 countries.